Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Project Supremacy Lite (Project Supremacy V3 Lite)
As part of making sure we are providing the users of our service with the best information on vulnerabilities in the WordPress plugins they may be using, we monitor for indications that security vulnerabilities have been fixed in new versions of plugins. Today that led to us looking at Project Supremacy Lite (Project Supremacy V3 Lite), where the changelog for the latest version is “Added some security fixes.” The changes made in that version look to be escaping the output of the plugin’s settings. Normally the lack of that escaping wouldn’t be a vulnerability, because only Administrators are allowed to change the settings and they can already do anything they want with WordPress. When we went to check whether that was the case with this plugin, we found that anyone logged in to WordPress can change the plugin’s settings, and one of those settings is intended to be used to place JavaScript code on all of the frontend pages of the website, which would lead to an authenticated persistent cross-site scripting (XSS) vulnerability.
The plugin registers the function that handles saving the plugin’s settings, saveGeneral(), so that it is accessible to anyone logged in to WordPress.
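One way to audit plugin source for the pattern described above is sketched below. It is an added example, not code from the original post or from the plugin. It assumes the handler is registered through a `wp_ajax_` hook (the post's own excerpt is not shown here), and the hook names, option name and PHP sample are constructed.

```python
import re

# Constructed PHP for illustration; hook and option names are hypothetical,
# and this is not Project Supremacy's source.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_example_save_general', [$this, 'saveGeneral']);
add_action('wp_ajax_example_save_checked', 'saveGeneralChecked');
function saveGeneral() {
    update_option('example_footer_script', $_POST['footer_script']);
    wp_die();
}
function saveGeneralChecked() {
    check_ajax_referer('example_save');
    if (!current_user_can('manage_options')) { wp_die('Forbidden', 403); }
    update_option('example_footer_script', wp_unslash($_POST['footer_script']));
    wp_die();
}
"""

Q = "['\"]"
# wp_ajax_<action> runs for any logged-in user; wp_ajax_nopriv_ is out of scope here.
HOOK_RE = re.compile(
    r"add_action\(\s*" + Q + r"wp_ajax_(?!nopriv_)([\w-]+)" + Q
    + r"\s*,\s*(?:(?:array\(|\[)\s*[^,]+,\s*)?" + Q + r"(\w+)" + Q)
CHECKS = (("capability check", r"current_user_can\("),
          ("nonce check", r"check_ajax_referer\(|wp_verify_nonce\("))

def function_body(source, name):
    """Return the text between a function's braces (naive brace matching)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit(source):
    """List (action, handler, missing checks) for logged-in AJAX handlers."""
    findings = []
    for action, handler in HOOK_RE.findall(source):
        body = function_body(source, handler)
        if body is None:
            continue  # handler defined in another file; needs manual review
        missing = [label for label, pat in CHECKS if not re.search(pat, body)]
        if missing:
            findings.append((action, handler, missing))
    return findings
```

This is a heuristic: a handler that delegates its checks to a helper function, or braces inside PHP strings, will need manual review.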